Vexta CMOVexta CMO
FeaturesWho it's forPricingFAQ
Sign inStart free
Terms of ServicePrivacy PolicyRefund PolicyAcceptable UseData Processing AddendumSecurity overviewSub-processors

Security overview

Download PDF

This document provides a summary of the technical and organisational measures we apply to protect the information entrusted to us by our customers. It is intended for the use of security teams, procurement teams, and compliance reviewers evaluating Vexta CMO. For the contractual treatment of personal data please refer to our Data Processing Addendum. For a list of the third parties involved in delivering the service see our Sub-processors page.

Security Program Overview

Our information security program is designed around the confidentiality, integrity, and availability of customer information. The program follows recognised industry frameworks and is reviewed by management on a regular basis. The program is supported by documented policies and procedures, periodic risk assessments, role-based responsibilities, and ongoing personnel awareness activities. We adopt a defence-in-depth posture and aim to apply security controls at the network, infrastructure, application, operational, and personnel layers.

Encryption

Customer data is protected by encryption at rest and in transit using industry-standard cryptographic techniques. Sensitive information such as API credentials, integration tokens, and other secrets are encrypted at rest using strong symmetric encryption with authenticated cipher modes. Encryption keys are managed in accordance with our key-management procedures, including separation of duties and access logging. All network communications between customer endpoints and our services are protected with current versions of the Transport Layer Security protocol, configured to prefer modern cipher suites and forward secrecy. Where the platform issues custom-domain certificates for white-label deployments, certificates are obtained and renewed automatically through an established certificate authority.

Identity and Access Management

Authentication to the platform is performed using salted and cryptographically strong password hashing. Customer accounts may enable an additional time-based one-time-password second factor. Session management uses signed, time-limited credentials supported by a revocation mechanism that allows administrators to terminate active sessions immediately. Role-based access controls separate platform operators, workspace administrators, regular workspace users, and limited-access client users. Workspace administrators can further constrain access at the level of individual managed accounts and through granular permission flags. All administrative and platform-operator activity is recorded in the audit log. Sensitive operations performed by platform staff are limited to named individuals on a least-privilege basis and are subject to review.

Audit Logging

Every state-changing action performed through the platform is captured in an internal audit log, including the identity of the actor, the affected target, network metadata, and a structured description of the action. Audit records are retained in accordance with our retention policy and are available for export by customers in commonly used formats. Where customer administrators have been granted the appropriate permission, they can review the audit trail for their own workspace using in-product tooling.

Backups and Recovery

Customer data is backed up on a regular schedule. Backups are encrypted in transit and at rest and are stored on durable infrastructure. We follow a documented restoration procedure and verify the integrity of backups through periodic restoration exercises. Backups follow a rolling retention window appropriate to the operational and recovery requirements of the service.

Network and Infrastructure

The platform operates on professionally managed infrastructure in the European Union, with the use of a global content-delivery network and edge protection services for performance and availability. Network controls limit administrative access to production systems to authorised personnel and known network locations. Production environments are isolated from non-production environments and require explicit grants to access. We use a change-management process to govern modifications to production infrastructure and applications.

Application Security

Our software development practices include peer review of application changes, static and dynamic analysis where appropriate, dependency monitoring for known vulnerabilities, and the use of well-maintained third-party libraries. We follow industry-standard guidance for the secure design of web applications, including protections against injection attacks, cross-site scripting, cross-site request forgery, insecure deserialization, broken access control, and similar classes of vulnerability. Security relevant changes are reviewed prior to deployment.

Vulnerability Management

We monitor for newly disclosed vulnerabilities in our application stack and third-party dependencies and apply remediations on a risk-based timeline. Severe vulnerabilities are prioritized for immediate response. We invite security researchers and customers to report suspected vulnerabilities through our published security contact.

Data Segregation and Tenancy

The platform is a multi-tenant service. Customer data is logically segregated at the application layer so that each customer can only access its own data. Authorisation checks are applied on every request, and integration and configuration data for each customer are independently managed.

Personnel

Personnel with access to customer data are bound by confidentiality obligations and are required to complete security awareness training. Access to production systems is granted on a need-to-know basis, requires multi-factor authentication, and is reviewed regularly. Employment background checks are conducted to the extent permitted by applicable law.

Incident Response

We maintain a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Where an incident affects customer personal data we will notify affected customers in accordance with our Data Processing Addendum and applicable law. Customers and external parties may report suspected security incidents via the published security contact email.

Business Continuity

We maintain procedures to support service continuity in the event of significant operational disruption. These include redundancy in critical components, scheduled and tested backup and restoration routines, and documented runbooks for common failure modes.

Compliance Posture

We design our controls to align with widely recognised security and privacy frameworks. We support our customers' compliance obligations under regulations such as the General Data Protection Regulation, the United Kingdom General Data Protection Regulation, the California Consumer Privacy Act and the California Privacy Rights Act, and the Digital Personal Data Protection Act of India, among others. Additional certifications may be added over time; please contact us for the current status of our certifications and third-party assessments.

Customer Responsibilities

Security is a shared responsibility. Customers should establish strong authentication practices for their users, enable multi-factor authentication where available, manage access for their authorised users in accordance with the principle of least privilege, promptly revoke access when no longer required, treat access credentials and tokens as confidential, and configure their use of the platform consistent with their own risk profile and compliance requirements.

Reporting a Security Concern

Suspected security incidents, vulnerabilities, or other security concerns may be reported by email to [email protected]. We aim to acknowledge receipt of security reports within one business day. Sensitive disclosures can be sent under non-disclosure terms on request.

Last updated: 2026-05-17. Security teams seeking more detailed information than is provided here should email the address above; we typically respond to questionnaires within five business days.

Want a walk-through before you sign up?

We'll show you the autopilot, the white-label flow, and how the numbers add up for your accounts. 20 minutes, no slides.

Vexta CMO

Autonomous Google Ads management for solo founders, in-house teams, and white-label agencies - branded reports, per-client workspaces, and read-only-by-default safety.

[email protected]vitisecurity.com
All systems operational

Product

  • Features
  • Who it's for
  • Pricing
  • FAQ
  • Sign in
  • Start free

Use cases

  • For solo founders
  • For in-house marketers
  • For agencies
  • White-label
  • Branded reports

Resources

  • Security overview
  • Sub-processors
  • DPA (GDPR / DPDP)
  • Refunds
  • Acceptable use

Legal

  • Terms of Service
  • Privacy Policy
GDPR & DPDP-aligned
Encrypted at rest
Daily encrypted backups
Audit logging on every action
© 2026 Vexta CMO. All rights reserved.
PrivacyTermsDPA·Powered by Vexta CMO by VITI Security